Update Microsoft products for critical vulnerabilities

This information was sent to U-M IT staff groups via email on March 13, 2019. It is intended for U-M IT staff who are responsible for university computers that run any of the Microsoft products listed below, which include Microsoft Windows, Microsoft Office, Internet Explorer, Edge, and more.

Summary

Multiple vulnerabilities have been discovered in Microsoft products, several of which could allow for remote code execution or privilege escalation. Updates to address these vulnerabilities are available from Microsoft. These updates should be applied immediately after appropriate testing.

Problem

Microsoft has announced numerous new security vulnerabilities across multiple Microsoft products. Successful exploitation of the most severe of these could result in an attacker gaining the same privileges as the logged on user or remotely executing malicious code without user interaction. Microsoft has provided updates to address all of the vulnerabilities. These should be applied as soon as possible after appropriate testing.

Threats

News reports indicate that two elevation of privilege vulnerabilities in Windows are being actively exploited in the wild, in some cases these attacks also exploit a Chrome vulnerability to execute arbitrary code. Successful exploitation allows remote attackers to execute arbitrary code with admin privileges on targeted computers after the attacker was able to cause remote code execution through some other means. Several other vulnerabilities patched by this month’s Microsoft updates do allow remote code execution without user interaction or existing access to the system by the attacker.

Affected Systems

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office SharePoint
  • ChakraCore
  • Team Foundation Server
  • Skype for Business
  • Visual Studio
  • NuGet

Action Items

Apply updates provided by Microsoft immediately after appropriate testing. See Microsoft's links to updates at March 2019 software updates.

How We Protect U-M

This communication is being sent to those across the university who manage machines with Microsoft software on them.

Information Assurance (IA) works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.

IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

IA provides vulnerability management guidance to the university.

Information for Users

MiWorkspace machines will be patched as soon as possible and will need to be restarted when prompted to ensure all updates have been applied. If you have Microsoft Office, Microsoft Windows, or any of the other products listed in this alert installed on your own devices that are not managed by the university, please check for available updates and install them immediately. We recommend that you set your software to update automatically whenever possible.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.